Package: python2.3
Version: 2.3.5-15
Severity: normal

Hi,
in the source file python2.3-2.3.5/Modules/binascii.c I notice the following bits of code (starting at line 1048):

    /* We allocate the output same size as input, this is overkill.
     * The previous implementation used calloc() so we'll zero out the
     * memory here too, since PyMem_Malloc() does not guarantee that.
     */
    odata = (unsigned char *) PyMem_Malloc(datalen);
    if (odata == NULL) {
        PyErr_NoMemory();
        return NULL;
    }
    memset(odata, datalen, 0);

and (starting at line 1213):

    /* We allocate the output same size as input, this is overkill.
     * The previous implementation used calloc() so we'll zero out the
     * memory here too, since PyMem_Malloc() does not guarantee that.
     */
    odata = (unsigned char *) PyMem_Malloc(odatalen);
    if (odata == NULL) {
        PyErr_NoMemory();
        return NULL;
    }
    memset(odata, odatalen, 0);

This will not work as intended since the third memset argument should be the length of the buffer. The memset prototype is

    void *memset(void *s, int c, size_t n);

I did not analyse what the implications of this bug are, but I think it should be fixed anyway (if nothing else, then to prevent others from copying this bit of code).
I hope this helps,
Jochen

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)

Versions of packages python2.3 depends on:
ii  libbz2-1.0     1.0.3-6      high-quality block-sorting file co
ii  libc6          2.3.6.ds1-6  GNU C Library: Shared libraries
ii  libdb4.3       4.3.29-6     Berkeley v4.3 Database Libraries [
ii  libncurses5    5.5-4        Shared libraries for terminal hand
ii  libreadline5   5.1-9        GNU readline and history libraries
ii  libssl0.9.8    0.9.8c-3     SSL shared libraries
ii  zlib1g         1:1.2.3-13   compression library - runtime

Versions of packages python2.3 recommends:
pn  python2.3-cjkcodecs | python2  <none>  (no description available)
pn  python2.3-cjkcodecs | python2  <none>  (no description available)

-- no debconf information
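To make the effect of the transposed arguments concrete, here is an added C example (written for this report, not code from the Python sources). It simulates stale heap contents with a constructed 0xAA fill pattern, applies either the reported call or the intended one, and counts how many bytes are left non-zero; the function name and the pattern are my own choices.

```c
#include <stdlib.h>
#include <string.h>

/* Allocate `datalen` bytes, fill them with a constructed stand-in for
 * stale heap data, then clear them either the way the reported binascii.c
 * code does (use_buggy_call != 0) or the way its comment intends.
 * Returns the number of bytes still non-zero afterwards, or (size_t)-1
 * if the allocation failed. */
size_t bytes_left_unzeroed(size_t datalen, int use_buggy_call)
{
    unsigned char *odata = (unsigned char *) malloc(datalen ? datalen : 1);
    size_t i, nonzero = 0;

    if (odata == NULL)
        return (size_t) -1;

    /* Constructed "garbage": PyMem_Malloc() gives no zeroing guarantee,
     * so model the buffer as full of leftover bytes. */
    memset(odata, 0xAA, datalen);

    if (use_buggy_call) {
        /* Reported code: memset(odata, datalen, 0).
         * The third argument is the byte count, so zero bytes are
         * written; datalen (truncated to int) is silently taken as
         * the fill value and the buffer keeps its old contents. */
        memset(odata, (int) datalen, 0);
    } else {
        /* Intended call: fill value 0, count datalen. */
        memset(odata, 0, datalen);
    }

    for (i = 0; i < datalen; i++)
        if (odata[i] != 0)
            nonzero++;

    free(odata);
    return nonzero;
}
```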